https://www.dnsknowledge.com/unbound/configure-unbound-dns-over-tls-on-linux
Unbound is a free and open source, BSD-licensed validating, recursive and caching DNS resolver. It performs DNSSEC validation and can run either as a full recursive resolver or forward queries to an upstream server. It is written in C and runs on Linux, Windows, *BSD and other Unix-like operating systems.
Why use encrypted unbound DNS over TLS on CentOS Linux?
DNS is an old protocol that was not designed with privacy in mind. Anyone on the path can read your unencrypted DNS queries, even when the web service you then connect to is served over HTTPS: the TLS session protects the page, not the lookup that preceded it.
How to see DNS queries sent around the internet in an unencrypted format
Open the terminal application on a macOS or Linux based system, or on your router, and type the following command as root to capture traffic (pick the interface that faces the internet; the first line shows a placeholder, the others are typical interface names):
tcpdump -vv -x -X -s 1500 -i INTERFACE 'port 53'
tcpdump -vv -x -X -s 1500 -i br0 'port 53'
tcpdump -vv -x -X -s 1500 -i wifi0 'port 53'
tcpdump -vv -x -X -s 1500 -i eth1 'port 53'
Open another terminal session and send some DNS queries:
host google.com 1.1.1.1
host dnsknowledge.com 8.8.8.8
The capture shows the queried names and the answers in clear text. Unencrypted DNS leaks this data to anyone who can monitor your network or internet connection: your ISP, for one, can log these lookups, build a profile of your browsing, or sell the data to third parties.
How to install unbound in CentOS Linux 7
Type the following commands (Unbound comes from the CentOS base repository, so the EPEL step is optional):
# yum install epel-release
# yum update
# yum install unbound
Resolving Dependencies
--> Running transaction check
---> Package unbound.x86_64 0:1.6.6-1.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
unbound x86_64 1.6.6-1.el7 base 673 k
Transaction Summary
================================================================================
Install 1 Package
Total download size: 673 k
Installed size: 2.4 M
Is this ok [y/d/N]: y
Turn on the service so it starts at boot:
# systemctl enable unbound
Created symlink from /etc/systemd/system/multi-user.target.wants/unbound.service to /usr/lib/systemd/system/unbound.service.
Configure encrypted unbound DNS over TLS on CentOS Linux
Update /etc/unbound/unbound.conf:
# vim /etc/unbound/unbound.conf
Make sure the LAN is allowed to access this server. Unbound only answers clients matched by an access-control entry, and by default it listens on localhost only, so add your LAN subnet (192.168.1.0/24 is the example below; use your own) to the access-control list in the server: section, point the interface: option at the server's LAN address, and open port 53 in the host firewall. allow_snoop also permits non-recursive (cache snooping) queries and belongs only on localhost; LAN ranges get a plain allow:
#control which clients are allowed to make (recursive) queries
access-control: 127.0.0.1/32 allow_snoop
access-control: ::1 allow_snoop
access-control: 127.0.0.0/8 allow
access-control: 192.168.1.0/24 allow
Secure DNS over TLS in Unbound configuration on CentOS
#Adding DNS-Over-TLS support
server:
forward-zone:
name: "."
forward-ssl-upstream: yes
## Cloudflare DNS
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853
## Also add Quad9 (IBM-backed) IPv4 DNS over TLS
forward-addr: 9.9.9.9@853
forward-addr: 149.112.112.112@853
## IPv6 Cloudflare DNS over TLS
forward-addr: 2606:4700:4700::1111@853
forward-addr: 2606:4700:4700::1001@853
How do I verify the certificates of the forwarders with this setup?
With the configuration above, Unbound encrypts the connection to the forwarder but does not verify who is on the other end: any TLS certificate is accepted, so an on-path attacker who redirects port 853 can still read and answer your queries. Certificate verification needs the tls-cert-bundle option (to load the system CA store) plus an authentication name appended to each forward-addr after a #; both were added in Unbound 1.7.0, which also renamed forward-ssl-upstream to forward-tls-upstream (the old spelling is still accepted). They do not work with the 1.6.6 package shipped with CentOS 7.x, so on a newer Unbound update the config as follows:
#Adding DNS-Over-TLS support
server:
tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
forward-zone:
name: "."
forward-ssl-upstream: yes
## Cloudflare DNS
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com
## Also add Quad9 (IBM-backed) IPv4 DNS over TLS
forward-addr: 9.9.9.9@853#dns.quad9.net
forward-addr: 149.112.112.112@853#dns.quad9.net
## IPv6 Cloudflare DNS over TLS
forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
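The following script is an added example for the two configuration variants above and is not code from the original article or from the Unbound project. It checks whether the local Unbound release (from the "Version x.y.z" line that unbound -V prints) is new enough for tls-cert-bundle and #authname, audits an unbound.conf for the "encrypted but unauthenticated" forward-zone shown first, and, on a real host with network access, verifies a forwarder's certificate with openssl against the same CentOS CA bundle the tls-cert-bundle line points Unbound at. The function names, the sample config files (constructed from the article's two snippets) and the 1.7.0 cut-off are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page or from the Unbound project.
# (1) decide whether an `unbound -V` banner is new enough for authenticated
#     DNS over TLS, (2) audit an unbound.conf forward-zone for TLS without
#     certificate verification, (3) verify a forwarder certificate on a real host.
set -eu

# Return 0 when the first line of `unbound -V` ("Version 1.6.6" on CentOS 7)
# names release 1.7.0 or later, the version that added tls-cert-bundle and the
# "#authname" suffix on forward-addr. Returns 2 if no version can be parsed.
unbound_supports_tls_auth() {
  local ver major rest minor
  ver=$(printf '%s\n' "$1" | sed -n 's/^Version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
  [ -n "$ver" ] || return 2
  major=${ver%%.*}
  rest=${ver#"$major"}; rest=${rest#.}
  minor=${rest%%.*}
  [ -n "$minor" ] || minor=0
  if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 7 ]; }; then
    return 0
  fi
  return 1
}

# Audit an unbound.conf: report a forward-zone that sends queries over TLS with
# no way to verify the forwarder. Findings are printed one per line; the return
# status is 0 only when none were found. Both option spellings
# (forward-ssl-upstream / forward-tls-upstream) and both CA sources
# (tls-cert-bundle / tls-system-cert) are accepted.
audit_dot_config() {
  local conf=$1 findings=0 stripped line
  # Drop comments. Only a '#' at line start or after whitespace is a comment;
  # the '#' glued to a forward-addr port ("1.1.1.1@853#name") is the authname.
  stripped=$(sed -e 's/^[[:space:]]*#.*//' -e 's/[[:space:]]#.*//' "$conf")
  if ! printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*forward-(ssl|tls)-upstream:[[:space:]]*yes'; then
    echo "no forward-tls-upstream: forwarders are queried in plaintext"
    findings=$((findings + 1))
  fi
  if ! printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*(tls-cert-bundle:|tls-system-cert:[[:space:]]*yes)'; then
    echo "no tls-cert-bundle/tls-system-cert: forwarder certificates cannot be verified"
    findings=$((findings + 1))
  fi
  # Every forwarder on 853 needs "#hostname", or the certificate name is never checked.
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    case $line in
      *'#'*) ;;
      *) echo "no authname: $line"; findings=$((findings + 1)) ;;
    esac
  done <<EOF
$(printf '%s\n' "$stripped" | grep -E '^[[:space:]]*forward-addr:.*@853' || true)
EOF
  [ "$findings" -eq 0 ]
}

# On a real host with network access: open a TLS session to an IPv4 forwarder
# with SNI set to its authname, verify the chain against the CA bundle Unbound
# uses, then check the name on the leaf certificate. Needs OpenSSL 1.0.2+
# (CentOS 7 ships 1.0.2). Not run in the offline demo below.
verify_forwarder_cert() {
  local ip=$1 name=$2 bundle=${3:-/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem} out
  out=$(openssl s_client -connect "$ip:853" -servername "$name" -CAfile "$bundle" \
        </dev/null 2>/dev/null) || return 1
  printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)' || return 1
  printf '%s\n' "$out" | openssl x509 -noout -checkhost "$name" | grep -q 'does match'
}

# Constructed sample configs for the offline demo: the article's first,
# unauthenticated forward-zone and its tls-cert-bundle variant.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
UNAUTH_CONF=$WORK/unauth.conf
AUTH_CONF=$WORK/auth.conf
cat >"$UNAUTH_CONF" <<'EOF'
server:
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    ## Cloudflare DNS
    forward-addr: 1.1.1.1@853
    forward-addr: 1.0.0.1@853
EOF
cat >"$AUTH_CONF" <<'EOF'
server:
    tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853#dns.quad9.net
EOF

for f in "$UNAUTH_CONF" "$AUTH_CONF"; do
  if audit_dot_config "$f"; then echo "$f: authenticated DNS over TLS"; else echo "$f: NOT authenticated"; fi
done
if command -v unbound >/dev/null 2>&1; then
  if unbound_supports_tls_auth "$(unbound -V | head -n 1)"; then
    echo "local unbound supports tls-cert-bundle and #authname"
  else
    echo "local unbound is too old for certificate verification"
  fi
fi
```

Run the audit against your real /etc/unbound/unbound.conf (audit_dot_config /etc/unbound/unbound.conf) after editing it; the unauthenticated sample produces three findings (no CA bundle, two forwarders without an authname), the tls-cert-bundle sample none. On a host with network access, verify_forwarder_cert 1.1.1.1 cloudflare-dns.com confirms that the certificate Unbound will be shown chains to the CentOS trust store and carries the name used in the forward-addr line.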
Check the file for syntax errors with unbound-checkconf, then start/restart the service:
# systemctl restart unbound
Test it, first from the server itself and then from a LAN client:
host google.com your-server-ip-here
host google.com 192.168.1.254
Verify privacy and security settings with tcpdump
tcpdump -vv -x -X -s 1500 -i INTERFACE 'port 853'
tcpdump -vv -x -X -s 1500 -i br0 'port 853'
Repeat the host queries while the capture runs. The traffic to the forwarders on port 853 is now a TLS session, so the queried names no longer appear in the dump, and a capture on port 53 of the internet-facing interface should show nothing leaving the server. A capture on the LAN side still shows plaintext port 53 traffic between clients and Unbound: DNS over TLS protects only the hop from Unbound to the forwarder.
Conclusion
This quick tutorial showed how encrypting your DNS traffic helps protect the privacy of your internet browsing. By running Unbound as a caching DNS server, you let CentOS Linux 7.x use DNS-over-TLS to encrypt the DNS queries between your network and the forwarder. Keep in mind that the forwarder itself (Cloudflare or Quad9 here) still sees every query, so this protects against on-path snooping, not against the upstream resolver. I strongly suggest that you use the following pages for more information about using Unbound as a DNS privacy server:
- Unbound home page/help page
- Verify TLS cert at nlnetlabs when using DNS over TLS
- IBM quad9 home page
- Cloudflare DNS home page

